Mustafa-Online

PW Security - Remote OS Command Injection


I built a website using "ProcessWire" and I ran a security check using "ZAP Scanning Report". The result is:

[screenshot of the ZAP report, attached as pw_sec.PNG]

How do I fix this issue?


What file type was flagged by ZAP: php, js, html, ...? How did you rule out a false flag or not?

11 minutes ago, pwired said:

What file type was flagged by ZAP: php, js, html, ...? How did you rule out a false flag or not?

I'm not a security guy, I don't know; it's all in the screenshot. (The scan was done by someone else.)


These look like false positives, especially given the last one (a CSS file served by Apache). What's happening here is that your server is taking a long time to respond to the requests, and the testing tool is making the assumption that because it responded slowly, it must have executed the command it sent (sleep and timeout). Most likely your server took a long time to respond to the request because that testing tool is hitting the server hard, and it's either struggling to keep up, or it's throttling the tool, limiting how many requests it'll respond to at once. It's also possible you've got another server-side security tool that is detecting something trying to mess with it, and interrupting the request.

With a tool like ZAP, false positives can happen, so you should use it to find where to look, but use the information it gives you to confirm on your own whether it's an issue or not. And if you ever think you've found a security issue in any software, contact the author directly, don't post it in a public forum.

The only other thing I'd suggest is to look at your site template that serves the first URL it mentions, and check if you are using a GET variable named "query", and if so what you are doing with it. However, I think this is unlikely given that it's reporting the same error on a CSS file, which is served directly by Apache, not ProcessWire. 

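To make the last suggestion concrete, here is an added example (not code from this thread or from the ProcessWire project) of what to look for in the template that serves the flagged URL. It assumes a hypothetical template that reads a GET parameter named "query"; the function names and the `/var/www/site/docs` path are made up for illustration. The first function is the pattern that would make ZAP's finding a true positive; the other two show how the same feature is written so that user input never reaches a shell as code.

```php
<?php namespace ProcessWire;
// Added example, not from the forum thread or the ProcessWire core.
// Assumed context: a site template that receives ?query=... from a search form.

// VULNERABLE pattern: the raw GET value is concatenated into a shell command,
// so metacharacters in the parameter (';', '|', '$(...)') are executed by the shell.
// If your template looks like this, the ZAP finding is real and must be fixed.
function searchDocsUnsafe($query) {
    return shell_exec("grep -ril " . $query . " /var/www/site/docs");
}

// HARDENED pattern 1 (preferred): do not touch the shell at all. Read the value
// through $input, clean it with $sanitizer, and let the ProcessWire page API do
// the search. The input only ever becomes a quoted selector value.
function searchPagesSafe() {
    $q = wire('sanitizer')->selectorValue(wire('input')->get('query'));
    if ($q === '') return wire('pages')->newPageArray();
    return wire('pages')->find("title|body%=$q, limit=20");
}

// HARDENED pattern 2: if an external command is genuinely required, restrict the
// value to an allow-listed character set and pass it as ONE quoted argument with
// escapeshellarg(). Both steps together stop the shell from seeing it as syntax.
function searchDocsSafe($query) {
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $query)) return '';
    $cmd = 'grep -ril ' . escapeshellarg($query) . ' /var/www/site/docs';
    return (string) shell_exec($cmd);
}
```

If the template contains no `shell_exec`, `exec`, `system`, `passthru`, `popen` or backtick call at all, and the same alert appears on a static `.css` URL that never runs PHP, the timing-based finding is almost certainly the load-induced delay the post above describes. The quickest confirmation is to re-run only the flagged request against an idle server with ZAP's request rate lowered, rather than trusting the original scan's response times.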
